Configuring IPsec anti-replay
About IPsec anti-replay
IPsec anti-replay protects networks against replay attacks by using a sliding window mechanism called the anti-replay window. This feature checks the sequence number of each received IPsec packet against the sequence number range currently covered by the sliding window. If the sequence number is not in the current sequence number range, the packet is considered a replayed packet and is discarded.
IPsec packet de-encapsulation involves complex computation. Replayed packets do not need to be de-encapsulated, yet de-encapsulating them consumes large amounts of resources and degrades performance, which can result in denial of service (DoS). IPsec anti-replay checks for and discards replayed packets before de-encapsulation.
In some situations, service data packets arrive in an order different from the order in which they were sent. The IPsec anti-replay feature drops such packets as replayed packets, which disrupts communication. If this happens, disable IPsec anti-replay checking or adjust the size of the anti-replay window as needed.
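The following is an added example, not code from the configuration guide or the device firmware: a Python model of an RFC 4303-style anti-replay sliding window, using a bitmap the way an IPsec receiver does when it checks the ESP/AH sequence number before de-encapsulation. The class name, the field names and the arrival sequences are constructed for illustration. It shows the three outcomes the text describes: a packet reordered within the window is accepted, an exact duplicate is dropped as a replay, and a packet that falls behind the window is dropped even though it was never seen, which is the case where a wider window (or disabling the check) would be needed.

```python
# Added example (not from the configuration guide): an RFC 4303-style
# anti-replay sliding window, the check an IPsec receiver runs on the
# ESP/AH sequence number before de-encapsulation.

class AntiReplayWindow:
    """Sliding window keyed on the 32-bit IPsec sequence number.

    `top` is the highest sequence number accepted so far; `bitmap` bit i
    (0 <= i < width) records whether sequence number `top - i` has been
    seen. Sequence numbers below `top - width + 1` are "too old" and
    dropped, as are any already recorded in the bitmap.
    """

    def __init__(self, width: int = 64):
        if width < 1:
            raise ValueError("window width must be >= 1")
        self.width = width
        self.top = 0        # highest accepted sequence number (0 = none yet)
        self.bitmap = 0     # bit 0 = top, bit 1 = top-1, ...

    def check(self, seq: int) -> bool:
        """Return True if `seq` is accepted and record it; False if dropped."""
        if seq == 0:
            # RFC 4303: sequence number 0 is never sent on the wire.
            return False
        if seq > self.top:
            # New high-water mark: slide the window forward.
            shift = seq - self.top
            if shift >= self.width:
                self.bitmap = 1           # everything older falls out
            else:
                mask = (1 << self.width) - 1
                self.bitmap = ((self.bitmap << shift) | 1) & mask
            self.top = seq
            return True
        # seq <= top: either inside the window or too old
        offset = self.top - seq
        if offset >= self.width:
            return False                  # too old: outside the window
        if self.bitmap & (1 << offset):
            return False                  # already seen: replay
        self.bitmap |= 1 << offset        # late but first arrival: accept
        return True


def run_sequence(seqs, width=64):
    """Feed a constructed list of sequence numbers; return (seq, accepted) pairs."""
    win = AntiReplayWindow(width)
    return [(s, win.check(s)) for s in seqs]


if __name__ == "__main__":
    # Constructed arrival order: reordering inside the window is fine,
    # an exact duplicate is a replay, and a packet far behind `top`
    # is dropped even though it was never seen.
    arrivals = [1, 2, 3, 5, 4, 3, 200, 100]
    for seq, ok in run_sequence(arrivals, width=64):
        print(f"seq={seq:<4} {'accept' if ok else 'drop'}")
```

With the default width of 64, the run above accepts 4 arriving after 5 but drops the second 3 (replay) and drops 100 after 200 (outside the window). Running the same two-packet sequence `[10, 1]` with width 5 drops the 1, while width 64 accepts it, which is why the guide suggests widening the window when legitimate reordering causes drops, and keeping it as small as the traffic allows otherwise.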
Restrictions and guidelines
IPsec anti-replay does not affect manually created IPsec SAs. According to the IPsec protocol, only IKE-based IPsec SAs support anti-replay.
Set the anti-replay window size as small as possible to reduce the impact on system performance.
IPsec anti-replay requires that packets on the same interface be processed on the same slot. To perform IPsec anti-replay on a multichassis IRF fabric for a global interface, use the service command in interface view to specify a service processing slot for that interface. Global interfaces (such as VLAN or tunnel interfaces) are virtual interfaces that might have physical ports across the IRF member devices. For more information about the service command, see VLAN commands in Layer 2—LAN Switching Command Reference or tunneling commands in Layer 3—IP Services Command Reference.
Failure to detect anti-replay attacks might result in denial of services. If you want to disable IPsec anti-replay, make sure you understand the impact of the operation on network security.
Procedure
1. Enter system view.
   system-view
2. Enable IPsec anti-replay.
   ipsec anti-replay check
   By default, IPsec anti-replay is enabled.
3. Set the size of the IPsec anti-replay window.
   ipsec anti-replay window width
   The default size is 64.